iOS hacker and security researcher Pod2g has uncovered a major SMS security flaw in the iPhone that could lead to text message spoofing. The problem lies in the way the iPhone handles text messages, and it is present in the latest version of iOS, including the iOS 6 beta 4 release. Pod2g says he is pleading with Apple to get it fixed.

In a post on his blog, Pod2g explains the issue, and why it’s a particular problem with the iPhone:

A SMS text is basically a few bytes of data exchanged between two mobile phones, with the carrier transporting the information. When the user writes a message, it is converted to PDU (Protocol Description Unit) by the mobile and passed to the baseband for delivery.

[…] In the text payload, a section called UDH (User Data Header) is optional but defines a lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer the text, he will not respond to the original number, but to the specified one.

Most carriers don’t check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else.

Why is this a problem with the iPhone? Because on the iPhone, when you receive a text message, you only see the “reply-to” number — not the original one. Pod2g then provides a number of examples in which this could be a serious security issue.

For example, it could be used to send phishing messages that appear to come from your bank but actually go to a different recipient when you reply.

It’s unclear how easy it is for hackers to intercept your messages, but Pod2g considers this a “severe” security flaw. He also explained that he’s confident other security researchers will already be aware of the issue, and “some pirates as well.”
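To make the mechanism Pod2g describes concrete from the receiving side, here is an added example (not code from the article or from Pod2g's post) that parses an inbound SMS-DELIVER PDU, recovers the originating address the network actually delivered (TP-OA) and any "Reply Address" element in the UDH, and flags the mismatch a careful client should surface instead of showing only the reply-to number. It assumes the element's payload uses the same Address-Length / Type-of-Address / BCD-digit layout as TP-OA; the sample PDUs and phone numbers are constructed.

```python
# Added example (not from the article or Pod2g's post): parse an inbound SMS-DELIVER
# PDU, recover the delivered originating address (TP-OA) and any UDH "Reply Address"
# element (IEI 0x22, 3GPP TS 23.040), and flag a mismatch. Assumed: the element's
# payload uses the same Address-Length/Type-of-Address/BCD-digit layout as TP-OA.
IEI_REPLY_ADDRESS = 0x22
def _swap_bcd(raw: bytes) -> str:
    """Decode semi-octet (nibble-swapped) BCD digits, dropping the 0xF pad."""
    h = raw.hex().upper()
    return "".join(h[i + 1] + h[i] for i in range(0, len(h), 2)).rstrip("F")
def _read_address(data: bytes, pos: int):
    """Address-Length (in digits), Type-of-Address, digits. Returns (number, next_pos)."""
    ndigits, toa = data[pos], data[pos + 1]
    nbytes = (ndigits + 1) // 2
    prefix = "+" if (toa & 0x70) == 0x10 else ""  # 0x91 = international numbering plan
    return prefix + _swap_bcd(data[pos + 2:pos + 2 + nbytes]), pos + 2 + nbytes
def parse_deliver(pdu_hex: str) -> dict:
    """Body is decoded only for 8-bit DCS; 7-bit septet unpacking is omitted here."""
    d = bytes.fromhex(pdu_hex)
    pos = 1 + d[0]                       # skip the length-prefixed SMSC address
    first = d[pos]; pos += 1
    if first & 0x03:
        raise ValueError("not an SMS-DELIVER PDU")
    origin, pos = _read_address(d, pos)  # TP-OA: the address the network delivered
    dcs = d[pos + 1]                     # TP-PID, then TP-DCS
    pos += 2 + 7                         # skip PID, DCS and the 7-byte TP-SCTS
    udl = d[pos]; pos += 1
    ud = d[pos:pos + udl]
    reply_to, body_start = None, 0
    if first & 0x40:                     # TP-UDHI: a User Data Header is present
        udhl, i = ud[0], 1
        while i < 1 + udhl:              # walk the information elements
            iei, iel = ud[i], ud[i + 1]
            if iei == IEI_REPLY_ADDRESS:
                reply_to, _ = _read_address(ud, i + 2)
            i += 2 + iel
        body_start = 1 + udhl
    body = ud[body_start:].decode("latin-1") if (dcs & 0x0C) == 0x04 else None
    spoofed = reply_to is not None and reply_to != origin
    # What a client should show: the delivered origin, never the reply address alone.
    shown = f"{origin} (replies would go to {reply_to})" if spoofed else origin
    return {"origin": origin, "reply_to": reply_to, "body": body,
            "spoofed_reply": spoofed, "display": shown}
# Constructed sample: origin +15550001234, UDH reply address +15559998888, body "Reply YES"
SPOOFED_PDU = ("00" "44" "0B91" "5155001032F4" "00" "04" "21806021220080"
               "14" "0A" "2208" "0B91" "5155998988F8" "5265706C7920594553")
# Constructed sample: same origin and body, no User Data Header at all
PLAIN_PDU = ("00" "04" "0B91" "5155001032F4" "00" "04" "21806021220080"
             "09" "5265706C7920594553")
```

Running `parse_deliver` on both constants shows the same origin for each, with only the first carrying a differing reply address and a raised `spoofed_reply` flag.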

From what I’ve deduced from the article, your example of being able to send a fake message is incorrect. You state that the iPhone only displays the reply-to number, which means that — if you were to reply to the message — it’d go to the number displayed (i.e. the bank’s number). It’d be a better example to say that one could receive an SMS from one’s bank, with instructions to visit a malicious URL, or to call a malicious support number.

This is similar to spoofing your IP address. You can put anything you want in the origin field of your IP packet, but the remote host will reply to the packet by sending a packet back to the source IP, which you spoofed to something that (presumably) isn’t under your control.

Is this the case, or does the iPhone reply to the actual number that sent the message, whilst only using the reply-to number to display the message?

theobserving

Does your bank contact you via text regularly, without prompting, to perform sensitive functions? None do that I know of. You have to initiate the communication.

macstuffdaily

Your logic here is flawed. If, as you state, “on the iPhone, when you receive a text message, you only see the “reply-to” number”, then this statement: “it could be used to send phishing that appear to come from your bank, but actually go to a different recipient when you reply” is incorrect.

If you ONLY see the “reply-to” number then someone could send a text from number xxx-xxx-xxxx and it could appear to have come from your “bank” (friend, employer, etc.) at number yyy-yyy-yyyy, but when you reply to this message it would be sent to yyy-yyy-yyyy.

The way this could be used for phishing is to send a text from your “bank” which in turn directed the user to a phishing site; otherwise your bank would get a confusing text message about your account info.

Unless Apple is so daft as to reply-to the original number while showing the “reply-to”

Gkpm

How is this specific to the iPhone? Or a major security flaw?

The ability to spoof SMS “From” numbers has been around since the first mobile phones, there’s just no security.

There are hundreds of sites on the Internet that send SMSs with whatever spoofed number you want, to any phone you want – iPhone or not.

It’s the same with Caller ID, again very easy to fake.

Singh Amardeep

The Jailbreak Community is the reason why Apple’s iOS is so secure now. Unlike Sony, they don’t go after the Jailbreak Community and sue them… Apple lets the Jailbreak Community find flaws in their iOS and fixes them in every update to make the iOS experience more secure in every update. Furthermore, isn’t it great that they have people finding flaws in their iOS for free? lol

About the author

Killian Bell is a staff writer based in the U.K. He has an interest in all things tech and also covers Android over at CultofAndroid.com. You can follow him on Twitter via @killianbell.